Differences
This shows you the differences between two versions of the page.
en:shibidp:troubleshooting [2023/03/02 10:23] – Engl. version of how to find the SAML assertion Silke Meyer | en:shibidp:troubleshooting [2023/03/02 12:10] – finished translation Silke Meyer | ||
---|---|---|---|
Line 63: | Line 63: | ||
</ | </ | ||
</ | </ | ||
+ | |||
+ | ===== Attribute samlPairwiseID does not have any transcoding rules ===== | ||
+ | Shibboleth IdPs 4.x that were **upgraded from a version 3.x** do not automatically use the attribute registry. The configuration file '' | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | </ | ||
+ | </ | ||
+ | Alternatively, | ||
+ | |||
+ | Note that the '' | ||
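Review bot: the heading of the added section ties the message to samlPairwiseID, but its first sentence gives a cause (IdPs 4.x that were upgraded from 3.x do not automatically use the attribute registry) that is not worded as specific to that attribute. Consider stating in the opening sentence whether the same "does not have any transcoding rules" message can appear for other attributes, so that readers who search for the message with a different attribute name still find this section.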
Line 76: | Line 87: | ||
" | " | ||
- | You get this error message when the Service Provider cannot find any metadata for the Identity Provider. | + | You get this error message when **the Service Provider cannot find any metadata for the Identity Provider**. |
* Check if you have added the IdP to the metadata administration tool and if it was added to the respective federation correctly (DFN-AAI-Test, | * Check if you have added the IdP to the metadata administration tool and if it was added to the respective federation correctly (DFN-AAI-Test, | ||
* Compare the Entity ID in '' | * Compare the Entity ID in '' | ||
* After a change to the federation metadata, keep in mind that you have to wait for 60-90 minutes for the metadata to be aggregated and redistributed to all SPs. | * After a change to the federation metadata, keep in mind that you have to wait for 60-90 minutes for the metadata to be aggregated and redistributed to all SPs. | ||
+ | |||
+ | ===== No metadata returned ===== | ||
+ | When you see the following message in your '' | ||
+ | (...) in role {urn: | ||
+ | |||
+ | * Please check where the IdP should know the SP from: | ||
+ | * from federation metadata? | ||
+ | * from your organisation' | ||
+ | * from an xml metadata file that you added manually to '' | ||
+ | * Remember that - in the first two cases - you have to wait for 60 to 90 minutes for the changes to propagate. | ||
===== The application you have accessed is not registered for use with this service ===== | ===== The application you have accessed is not registered for use with this service ===== | ||
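Review bot: in the last added bullet of "No metadata returned", the phrase "in the first two cases" only works as long as the sub-list keeps its current order. Name the cases instead (federation metadata and the organisation's own metadata), so the sentence stays correct if a bullet is added or moved. The waiting time is also written "60 to 90 minutes" here and "60-90 minutes" in the unchanged bullet above; one spelling for both would read better.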
Line 106: | Line 127: | ||
* Check the IdP's DEBUG-Log. Compare the saml:Issuer from the AuthnRequest with the EntityID you are trying to contact. If there is a different issuer string in the Authentication Request the IdP cannot find the issuer in the federation metadata. Contact the SP operator in this case. | * Check the IdP's DEBUG-Log. Compare the saml:Issuer from the AuthnRequest with the EntityID you are trying to contact. If there is a different issuer string in the Authentication Request the IdP cannot find the issuer in the federation metadata. Contact the SP operator in this case. | ||
+ | ===== DecryptNameIDFailed ===== | ||
+ | If you see the error message "A non-proceed event occurred while processing the request: DecryptNameIDFailed" | ||
+ | ===== Reset a configuration file to default ===== | ||
+ | Your IdP keeps copies of all original files in the folder '' | ||
+ | |||
+ | ===== Duplicate attributes in Shibboleth IdP 4.x ===== | ||
+ | If you notice that your IdP 4.x transmits duplicate attributes, you probably have copied the file '' | ||
+ | |||
+ | ===== Duplicate Transcoding Rule ===== | ||
+ | If you get the error message below, you probably have a duplicate attribute in your Attribute Registry. Maybe you imported attributes from a file like our dfnMisc.xml ([[de: | ||
+ | |||
+ | <code bash> | ||
+ | already the child of another XMLObject and may not be inserted into this list</ | ||
+ | |||
+ | ===== IdP/SP is no longer part of the eduGAIN metadata ===== | ||
+ | |||
+ | Our downstream eduGAIN metadata (the eduGAIN metadata we distribute to DFN-AAI) have never contained entities from DFN-AAI. We filter them out because your systems already know them from DFN-AAI metadata and we do not want to distribute duplicates. To check whether an entity is part of the eduGAIN metadata, please search for it in the [[https:// | ||
===== IdP is not displayed in Discovery Services ===== | ===== IdP is not displayed in Discovery Services ===== | ||
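Review bot: the link in the added "Duplicate Transcoding Rule" section starts with [[de: and therefore points into the German namespace, although this is the en: page and the edit summary says the translation is finished. If an English version of the target exists, link to it, otherwise mark the link as German-only. The error message below it is fenced as "code bash", but it is program output, not shell, so a plain code block would be the better fit. The DecryptNameIDFailed and "Reset a configuration file to default" headings also follow the preceding text without the blank line that separates the other added sections.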
Line 115: | Line 153: | ||
* You have ticked the checkbox "hide from discovery" | * You have ticked the checkbox "hide from discovery" | ||
| | ||
+ | ===== SP Metadata: AuthnRequestsSigned and WantAssertionsSigned ===== | ||
+ | |||
+ | A Service Provider can announce in its metadata that it | ||
+ | * signs Authentication Requests it sends to IdPs, and/or | ||
+ | * wants to get signed SAML assertions back. | ||
+ | |||
+ | Our metadata administration tool only displays this information if it is included in the xml files upon initial upload to the metadata administration. Please extend your SP metadata like this:< | ||
+ | | ||
{{tag> | {{tag> |
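Review bot: the added "SP Metadata" section says the metadata administration tool only displays AuthnRequestsSigned and WantAssertionsSigned if they are in the xml file "upon initial upload", and then asks the reader to extend their SP metadata. This leaves open what the operator of an already registered SP has to do: add a sentence saying whether the extended file must be uploaded again or the entry created anew. The code block also opens on the same line as "like this:", so a line break before it would match the other sections.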